<div>I still blocked by the above question, </div>
<div>and I found a page that seems useful for me.</div>
<div><a href="http://linux.die.net/man/5/wpa_supplicant.conf">http://linux.die.net/man/5/wpa_supplicant.conf</a></div>
<div> </div>
<div>At the bottom of this page,</div>
<div>it describes the certificates.</div>
<div>But I have one question,</div>
<div>where does the file "example.pfx" come from?</div>
<div>What data is recorded in it?</div>
<div>
<h2>Certificates</h2>
<p>Some EAP authentication methods require use of certificates. EAP-TLS uses both server side and client certificates whereas EAP-PEAP and EAP-<span class="highlight2">TTLS</span> only require the server side certificate. When client certificate is used, a matching private key file has to also be included in configuration. If the private key uses a passphrase, this has to be configured in wpa_supplicant.conf ("private_key_passwd").
</p>
<p>wpa_supplicant supports X.509 certificates in <span class="highlight1">PEM</span> and DER formats. User certificate and private key can be included in the same file. </p>
<p>If the user certificate and private key is received in PKCS#12/PFX format, they need to be converted to suitable <span class="highlight1">PEM</span>/DER format for wpa_supplicant. This can be done, e.g., with following commands:
</p>
<blockquote>
<p><br></p><pre class="code"># convert client certificate and private key to <span class="highlight1">PEM</span> format
openssl pkcs12 -in example.pfx -out user.<span class="highlight1">pem</span> -clcerts
# convert <span class="highlight0">CA</span> certificate (if included in PFX file) to <span class="highlight1">PEM</span> format
openssl pkcs12 -in example.pfx -out <span class="highlight0">ca</span>.<span class="highlight1">pem</span> -cacerts -nokeys</pre></blockquote></div>